NAVAL POSTGRADUATE SCHOOL 
Monterey, California 




THESIS 



DETECTING POTENTIAL SYNCHRONIZATION 
CONSTRAINT DEADLOCKS FROM 
FORMAL SYSTEM SPECIFICATIONS 

by 

Jeffrey Mark Schweiger 
March, 1992 

Thesis Advisor: Valdis Berzins 



Approved for public release; distribution is unlimited. 



T258654 



iCURITY CLASSIFICATION OF THIS PAGE 



REPORT DOCUMENTATION PAGE 



a. REPORT SEdJhltY CLASSIFICATION UNCLASSIFIED 


ib. RESTRICTIVE MARKINGS 


!a SECURITY CLASSIFICATION AUTHORITY 


3. OISTRIBUTION/AVAILAbILITY 6F REPORT 
Approved for public release; 
distribution is unlimited 


!b. DECLAS$IFICATI0N/D0WNGRA6ING SCHEDULE 


PERFORMING ORGANIZATION REPORT NUMBER(S) 


5. MONITORING ORGANIZATION REPORT NUklBER(S) 


la. NAME OF PERFORMING ORGANIZATION 
computer Science Dept. 

'laval Postgraduate School 


6b. OFFICE SYMBOL 
(if applicable) 

cs 


7a. NAME OF MONITORING ORGANIZATION 
Naval Postgraduate School 


>c. ADDRESS (City. State, and ZIP Code) 

Vlonterey, CA 93943-5000 


7b. ADDRESS (City. State, and ZIP Code) 

Monterey, CA 93943-5000 


la. NAME OF FUNDING/SPONSORING 
ORGANIZATION 


8b. OFFICE SYMBOL 
(if applicable) 


9. PROCUREMENT INSf fiUMENT IDENTIFICATION NUMBER 


)c. ADDRESS (City, State, and ZIP Code) 


10. SOURCE OF FUNDING NUMBERS 


PROGRAM 
ELEMENT NO. 


PROJECT 

NO. 


TASK 

NO. 


WORK UNIT 
ACCESSION N< 



1 . TITLE (Include Security Classification) 

DETECTING POTENTIAL SYNCHRONIZATION CONSTRAINT DEADLOCKS FROM FORMAL SYSTEM SPECIFICATIONS 



J. PLf^oNAL AUtMoRiSj 

>chweiger, Jeffrey Mark 



3a. TYPE QF REP.ORT 

Master s Thesis 


13b. TIME66VEREb 

from 03/89 to 03/92 


14. DATE OF REPORT (Year. Month, Day) 

March 1992 


15. PAGE COUNT 
81 


6 SUPPLEMENTARY NOTATIOTf 


he views expressed in this thesis are those of the author and do not reflect the official 



x>licy or position of the Department of Defense or the United States Government. 



7. COSATI CODES 


FIELD 


GROUP 


SUB-GROUP 















18. SUBJECT TERMS (Continue on reverse if necessary and identify by block number) 

Deadlock, Formal Specification, Software Engineering, Distributed Systems 
Concurrent Systems, Regular Expressions, Sychronization 



9. ABSTRACT (Continue on reverse if necessary and identify by block number) 



This thesis describes a conceptual design for a software tool for automatic detection of synchronization constraini 
ieadlock from the formal specification of a distributed system. The formal specification language Spec is used to 
iefine the distributed system. The basic algorithm used is introduced using a graphical representation, and its 
jperation illustrated via an example. 



“blslRIBUTIoN/ AVAILABILITY of ABsTRAcT 

[Xj UNCLASSIFIED/UNLIMITED □ SAME AS RPT. 


□ DTIC USERS 


21. ABSTRACT sLcURITycCAssITIcATioM 
UNCLASSIFIED 


!2a,NAM£ OF RESPONSIBLE INDIVIDUAL 

/aldis Berzins 


22b. TELEPHONE jVnctote Area Code) 

(408) 646-2461 


22c^^CE SYMBOL 



D FORM 1473,84 MAR 



SECURITY CLASSIFICATION OF THIS PAGE 



83 APR edition may be used until exhausted 
All other editions are obsolete 



UNCLASSIFIED 



Approved for public release; distribution is unlimited. 



Detecting Potential Synchronization 
Constraint Deadlocks from 
Formal System Specifications 

by 

Jeffrey Mark Schweiger 
Lieutenant Commander, United States Navy 
S.B., Massachusetts Institute of Technology, 1975 
M.S., Naval Postgraduate School, 1982 

Submitted in partial fulfillment 
of the requirements for the degree of 

MASTER OF SCIENCE IN COMPUTER SCIENCE 

from the 

NAVAL POSTGRADUATE SCHOOL 
March 1992 



department of Computer S 



cience 



ii 



ABSTRACT 



This thesis describes a conceptual design for a software 
tool for automatic detection of synchronization constraint 
deadlock from the formal specification of a distributed 
system. The formal specification language Spec is used to 
define the distributed system. The basic algorithm used is 
introduced using a graphical representation, and its operation 
illustrated via an example. 



iii 



t,t 

TABLE OF CONTENTS 

I . INTRODUCTION 1 

A. PURPOSE 1 

B . DEADLOCK 2 

C. FORMAL SOFTWARE SPECIFICATION METHODOLOGY ... 3 

D. SIMPLIFYING ASSUMPTIONS 5 

E. OVERVIEW 5 

II. BACKGROUND 7 

A. REVIEW OF FORMAL SPECIFICATION METHODOLOGIES . 7 

1. Petri Nets 8 

2. Communicating Finite State Machines (CFSM) . 12 

3. Systems of Communicating Machines (SCM) . . 14 

4 . Statecharts 16 

5. Z 16 

6. VDM 17 

7 . Larch 18 

8. SDYMOL 18 

9. Communicating Sequential Processes (CSP) . . 20 

10. Calculus of Communicating Systems 21 

11. Temporal Logic 22 

12. Transition Axioms 23 

13 . LOTOS 24 

iv 



14 . Gypsy 24 

15. Anna 27 

16. Spec 29 

B. APPROACHES TO DEADLOCK DETECTION 30 

1. Static Analysis 30 

2. Petri Nets 31 

3. Temporal Logic 32 

4 . Control Flow Analysis 33 

5. Failures Model 35 

6. Symbolic Execution 35 

C. APPLICABILITY OF EXISTING TOOLS FOR DEADLOCK 

DETECTION 36 

III. DEVELOPMENT OF THE DEADLOCK DETECTION ALGORITHM . 37 

A. DEFINITIONS 37 

1. Deadlock 3 7 

2. Starvation 37 

3. Livelock 3 8 

4 . Looping 38 

B. REQUIREMENTS FOR A DEADLOCK DETECTION TOOL . . 38 

1. Approach 3 8 

2. Identification of End User 39 

3. Specification of Desired Input and Output of 

Tool 3 9 

C. SELECTING THE SPECIFIC SPECIFICATION FORMALISM 40 

D. INTRODUCTION TO SPEC 41 



v 



1. Atomic Transactions 41 

2 . Deadlock 44 

3. Starvation 45 

4 . Livelock 4 5 

5. Looping 45 

E. DETECTING DEADLOCK IN SPEC SPECIFICATIONS ... 46 

1. Atomic Transactions Necessary for Deadlock to 

Occur 4 6 

2. Attributes for Deadlock Detection 46 

a. Unique Identification 46 

b. Message Preconditions 47 

c. Completion 47 

3. Regular Expressions 47 

4. Context Free Expressions 47 

F. INTRODUCING THE ALGORITHM 4 8 

1. Message Graphs 48 

2 . Partial Behavior Graphs 51 

3 . Behavior Graphs 52 

4 . Reduced Behavior Graphs 59 

5. Constraining the Behavior Graph 61 

G. COMPLEXITY 62 

IV. CONCLUSIONS 63 

A. SUMMARY 63 

B. IMPORTANCE OF RESEARCH RESULTS 63 

C. PROPOSED EXTENSIONS 64 



vi 



LIST OF REFERENCES 65 

INITIAL DISTRIBUTION LIST 69 



vn 



LIST OF TABLES 



TABLE I FORMAL DEFINITION OF A PETRI NET 8 

TABLE II CFSM PROTOCOL DEFINITION 13 

TABLE III SCM MODEL 15 



viii 



LIST OF FIGURES 



Figure 2.1 Simple Petri Net 9 

Figure 2.2 Two Machine CFSM 14 

Figure 2.3 Example Gypsy Specification 26 

Figure 3.1 Spec Transaction Syntax Diagram 43 

Figure 3.2 Graph Representations 49 

Figure 3.3 Algorithm Create_message_graph 50 

Figure 3.4 Example Message Graph 51 

Figure 3.5 Specification of a Sender Protocol .... 53 

Figure 3.6 Partial Behavior Graph of transfer(dsender . 54 

Figure 3.7 Behavior Graph of Transaction 

transfer(dsender 55 

Figure 3.8 Specification of a Receiver Protocol ... 56 

Figure 3.9 Partial Behavior Graph of receive(dreceiver 57 

Figure 3.10 Behavior Graph of Transaction 

receive(dreceiver 58 

Figure 3.11 File Transfer Protocol Stimulus Response 

Graph 59 

Figure 3.12 Algorithm Reduce_Behavior_Graph 60 

Figure 3.13 Reduced Behavior Graph of receive(3receiver 61 



IX 



ACKNOWLEDGMENT 



I would like to express my deep gratitude to my parents 
for their support. I also want to acknowledge the many 
friends, colleagues and advisors I have had during my 
research. It would take too long to acknowledge them all (and 
would resemble the departmental roster) . My advisors for this 
Master's Thesis, Professors Valdis Berzins and Luqi, made this 
process an enjoyable one. The members of my doctoral 
committee, not involved with this thesis. Professors Man-Tak 
Shing, Bert Lundy, Carl Jones and Jim Eagle, have been there 
when I needed their expertise and support. Hopefully, it will 
not be too long before they get to help me finish my 
dissertation. Professor Tim Shimeall has also been of great 
help during my research. Jon Hartman, Dave Pratt and 
Commander Gary Hughes were valued friends as I performed this 
work. In addition to his role as Curricular Officer, 
Commander Tom Hoskins was also a vital friend and advisor. 

I would be remiss if I didn't single out the 
administrative, technical and operations staff of the Computer 
Science department. The effort and friendship, on a daily 
basis, of Hank Hankins, A1 Wong, Rob Cortilla, Hollis Berry, 
Bernadette Brooks, Rosalie Johnson, Walt Landaker, Chuck 
Lombardo, Shirley Oliveira, Frank Palazzo, Jenny Stevens, Russ 
Whalen, Sue Whalen, Mike Williams, and Terry Williams is what 
really makes this department function. 



x 



I. 



INTRODUCTION 



A. PURPOSE 

Our goal is to develop a software tool to automatically 
detect the possibility of deadlock in a distributed system 
from the formal specification of that system. The software 
tool will take a formal specification of a distributed system 
as input, and will evaluate whether or not that system, as 
specified, has the potential for deadlock. The tool will 
indicate whether or not the design has potential for deadlock, 
and will produce a graphic depiction of the specification. 
The initial scope of this tool will be limited to 
synchronization constraints on sequences of events that can be 
described using regular expressions. Accesses to such shared 
resources are subject to synchronization constraints that can 
lead to deadlock situations if not designed properly. The 
proposed tool will detect this type of design fault. 

Formal specifications can provide a precise 'black-box' 
description modeling the behavior of a software system. The 
behavior modeled by the formal specification consists of the 
interactions of a software system with other software systems 
or the external world (e.g., operator commands). 

Distributed systems are collections of computers that 
appear as a single machine to its users (Tanenbaum, 1984). In 



1 



a distributed system the interactions modeled by the formal 
specification extend to the use of shared, critical resources 
(such as common data bases). 

B . DEADLOCK 

Informally, a state of deadlock occurs if a process in a 
system, or an entire distributed system, waits for a 
particular event that cannot occur (Deitel, 1990). For 
example, a deadlock occurs if processor A has control of 
resource 1 and needs resource 2 to complete a task, while 
processor B has control of resource 2 and needs resource 1 to 
completes its task and neither processor will yield the 
resource it controls until it completes its assigned task. 
Each processor is waiting for a particular event that cannot 
occur (the availability of an unavailable resource) and is 
unable to proceed. This example describes a two-process 
deadlock. The example illustrates a resource deadlock 
(Chandy, 1983), a deadlock situation that arises because 
processes are permanently waiting for resources held by each 
other . 

A similar situation occurs when a system (or module) 
enters a state from which no transitions to other states are 
possible (i.e., a "trap state"). Such a process is not 
waiting for an event to occur; there are no events specified 
that could allow the module to return to a state from which 
useful work might be performed. This might be caused by error 



2 



handling policies that did not return the module to an 
operating state (abnormal termination). This module, however, 
may need to generate or pass a message or event to another 
module or system, causing that process to block. This is an 
example of a communications deadlock. A process deadlocked 
because of communications may be able to proceed upon receipt 
of a message from one of several processes from which it may 
be communicating. 

The major difference between resource and communications 
deadlocks is that, in the case of resource deadlock, processes 
cannot proceed until they receive all of the resources that 
they require. In the case of a communications deadlock, the 
receipt of at least one of several potential messages may 
permit the resumption of execution. The communications model 
is considered to be more general than the resource model of 
deadlock. (Chandy, 1983) 

Deadlock and certain associated terms are more formally 
defined in Chapter III. 

C. FORMAL SOFTWARE SPECIFICATION METHODOLOGY 

Formal software specification methods use formal 
languages. A formal language is a set of finite length 
strings of symbols over some alphabet, where the alphabet is 
"a finite set of symbols" (Hopcroft, 1979). With respect to 
computer languages, the alphabet "consists of the permissible 
keywords, variables, and symbols of the language" (Sudkamp, 



3 



1988). In applying these concepts to the specification of 
software systems : 

"Formal methods used in developing computer systems are 
mathematically based techniques for describing system 
properties. Such formal methods provide frameworks within 
which people can specify, develop, and verify systems in 
a systematic, rather than ad hoc, manner. 

A method is formal if it has a sound mathematical basis, 
typically given by a formal specification language. This 
basis provides the means of precisely defining notions 
like consistency and completeness and, more relevantly, 
specification, implementation, and correctness. It 
provides the means of proving that a specification is 
realizable, proving that a system has been implemented 
correctly, and proving properties of a system without 
necessarily running it to determine its behavior. " (Wing, 
1990) 

We can use a formal language consisting of a "clearly 
defined syntax and semantics" to formally specify and describe 
the interfaces of a system or component (Berzins, 1988). 

There are many formal specification methodologies 
available. Some are frequently found in a graphical form, 
such as Petri Nets (Murata, 1989), Communicating Finite State 
Machines (CFSM) (Brand, 1983), and Systems of Communicating 
Machines (Lundy, 1988). Others are normally found in a 
textual form, but can be converted into a graph form for 
deadlock detection analysis. For this project, one of the 
latter, the formal specification language Spec (Berzins and 
Luqi, 1991), (Berzins, 1991), is used. Spec, in particular, 
concisely describes the atomic transactions that can cause the 
occurrence of deadlock. 

The basic units or modules of Spec are definitions, 
functions, types, machines, and instances. A machine is a 



4 



system with a memory capable of remembering a state. A type 
is a module that defines an abstract data type, consisting of 
a set of values and a set of primitive operations on that 
value set. If a type module has operations that modify the 
value set or change existing instances of the type, it has an 
internal state. 

Chapter II contains a more detailed discussion of formal 
specification methodologies . 

D. SIMPLIFYING ASSUMPTIONS 

Some of the approaches previously used in evaluating 
deadlock potential have been shown to be undecidable in the 
general case. It has not yet been demonstrated whether or not 
this is true for the approaches I am investigating. The 
initial algorithm development discussed in this thesis will be 
restricted to situations that can be proved decidable. To 
ensure this, I will restrict my evaluation to those systems 
whose synchronization constraints can be represented using 
regular expressions . 

E . OVERVIEW 

In this chapter, I have introduced the goals of this 
research and informally discussed the topics of deadlock and 
formal software specification methodologies. In the remainder 
of this thesis, these topics are explained in more detail, and 



5 



a method for automatic detection for deadlock detection is 
presented . 

Chapter II summarizes the background for my research, and 
includes a review of several formal software specification 
methodologies . I also describe some previous approaches to 
detecting deadlock potential in distributed system, and the 
applicability of existing software tools in this endeavor. 

In Chapter III, I formally define deadlock and certain 
related terms, and summarize the requirements analysis for a 
deadlock detection software tool. I also discuss my rationale 
for choosing Spec as the specific formal specification 
methodology used in the model. This chapter also outlines the 
algorithmic approach I propose for automatic detection of 
deadlock potential, and gives an example of its use. 

Chapter IV summarizes the results of the research and 
describes proposed extensions and additional necessary work. 



6 



II. BACKGROUND 



A. REVIEW OF FORMAL SPECIFICATION METHODOLOGIES 

There are many different methodologies available for use 
in the formal specification of systems. These methodologies 
may be categorized in many different ways. These 
characteristics include, but are not limited to, whether or 
not a method is graphical in nature, is model based or 
property based, what the underlying mathematical system is, 
intended for sequential and/or concurrent systems, etc. The 
approach I take toward deadlock detection in Chapter III is 
derived from graph theory, but requires a character oriented 
machine readable specification method. In addition, to be 
useful for deadlock detection, the specification methods used 
must be able to specify characteristics of concurrent, 
distributed systems. Separate, sequential systems that do not 
interact with other systems are of no interest for this 
application. Formal methods that can be used for specifying 
large software systems are of particular interest, as this is 
a requirement for real-world applications. 

In the following paragraphs, I summarize several such 
methodologies, commenting on many of their characteristics. 
While the list is clearly not all inclusive, it is 
representative of the many specification formalisms available. 



7 



1 . 



Petri Nets 



A Petri net is a graphical and mathematical tool 
useful in expressing concurrency and parallelism. 

Petri nets consist of a particular type of directed 
graph, known as a bipartite graph, and an initial state, or 
initial marking . The directed, bipartite graph of a Petri net 
may be weighted, and has two kinds of nodes, places and 
transitions . Arcs in a Petri net start at a place and 
terminate at a transition, or start at a transition and end at 
a place. States are represented by Petri net markings , where 
a marking is a function that assigns a non-negative integer 
value to each place. This assignment is represented by 
tokens, where if the non-negative integer value, k, is 
assigned to place, p, we say that p has k tokens. The formal 
definition of a Petri net is given in Table I (Murata, 1989). 
TABLE I FORMAL DEFINITION OF A PETRI NET 

A Petri net is a 5- tuple, PN- {P, T, F, W, M 0 ) where: 

•P={Pi»P 2 » • • • ,P m ) is a finite set of places, 

T={tf, t ? , , t n ) is a finite set of transitions, 

Fc(PxT) U ( TxP) is a set of arcs ( flow relation) , 

W:F~{ 1,2,3,...} is a weight function, 

Mg : P- {0,1,2, 3, . . .} is the initial marking, 

P n r=0 and P U 7*0. 

A Petri net structure N=(P,T,F,W) without any specific initial 

marking is denoted by N. 

A Petri net with the given initial marking is denoted by (N, Mg) . 



The conventional graphical representation of Petri 
nets use circles for places and bars as transitions. Tokens 
are represented by small dots. A simple Petri net is shown in 



8 



Figure 2.1. Petri net weights may be represented by either 
multiple arcs of weight one between places and transitions, or 
by labeling arcs with a specific weight. 

In modeling an event or computational step, the 
transition represents the event, and places, conditions. The 




Figure 2.1 Simple Petri Net 

places prior to the transition, or input places, represent 
pre-conditions and the output places following the transition, 
post -condi tions . 

Events occur, and the marking or state changes, when 
a Petri net transition fires. A transition, t, fires after it 
has been enabled, which means that each input place, p it for 
that transition is marked with at least the number of tokens 
indicated by the weight of the arc from p i to t . In a Petri 
net where all arcs have weight one, the firing of a transition 



9 




removes one token from each input place of the transition and 
adds one token to each output place of the transition. 

In classical Petri nets, the time from when a 
transition, t, is enabled until it fires is indeterminate. 
Similarly, if two different transitions, t x , t 2 , are enabled 
concurrently, the order of firing of t x and t 2 is indeterminate 
(Coolahan, 1983). Transitions can therefore be in conflict if 
the firing of one enabled transition causes the disabling of 
another enabled transition. 

Petri nets can be used in the modeling of finite state 
machines, parallel activities, dataflow computation, 
communication protocols, multiprocessor systems, 
synchronization control of multiprocessor and distributed- 
processing systems and formal languages. Behavioral 
properties including reachability, boundedness, liveness, 
reversibility and fairness have been modeled using Petri nets 
(Murata , 1989 ) . 

Reachability in a Petri net is the determination of 
whether, given an initial marking, M 0 , and a desired marking, 
M n , there exists a sequence of firings that will transform M 0 
to M n . (Kosaraju, 1982) and (Mayr, 1984) have shown that 
Petri net reachability is decidable, though it does require at 
least exponential space and time. Reachability is the 
fundamental, underlying method used in evaluating all of the 
Petri behavioral properties noted above. 



10 



A Petri net (N, M 0 ) is called k-bounded (or bounded) 
if, for any marking reachable from M 0 , the number of tokens in 
each of the places of the Petri net never exceeds a finite 
number k. If places in Petri nets are used to represent 
buffers, the boundedness property can be used to guarantee the 
lack of the buffers overflowing. 

A Petri net ( N, M 0 ) is considered to be live if it is 
possible to eventually fire any transition of the net from the 
current marking, by progressing through some further firing 
sequence. Thus, a system described by a live Petri net is 
guaranteed to be free of deadlock, no matter what firing 
sequence is chosen. (Murata, 1989) 

Reversibility is a property where the initial marking 
M 0 of a Petri net is reachable from any marking reachable from 

M 0 - 

There are multiple definitions of fairness in Petri 
nets. Two of these are bounded- fairness ( B-fair ) and global 
fairness . A Petri net is B-fair if, for every pair of 
transitions in the net, there is an upper limit (or bound) on 
the number of times that either can fire before the other 
transition can fire. A Petri net is globally (or 
unconditionally) fair if for every firing sequence reachable 
from M 0 , is finite, or every transition in the net appears 
infinitely often in the firing sequence. 

Reachability and liveness analysis using Petri nets 
are further discussed in section B of this chapter. 



11 



2. Communicating Finite State Machines (CFSM) 



The Communicating Finite State Machine (CFSM) 
methodology was developed for use in modelling communications 
protocols. The CFSM model represents and specifies 

communicating processes as finite state machines. Each pair 
of these processes are connected by a full duplex First-in 
First-out (FIFO) channel (that can be represented by two one- 
way FIFO queues) (Brand, 1983). 

CFSMs are directed labeled graphs with two types of 
edges, sending and receiving . The edges are labeled with the 
name of a message. The label is prepended with a minus sign 
for a sending arc, and a plus sign for a receiving arc. The 
nodes of a CFSM represent its states, and each CFSM has its 
starting state identified by an initial node. If a CFSM node 
has only sending edges, it is referred to as a sending node. 
Similarly, a node with only receiving edges is a receiving 
node. A mixed node is one with both sending and receiving 
edges (Gouda, 1986), (Lundy, 1988). A formal CFSM model for 
an arbitrary number of processes or machines is given in Table 
II (Brand, 1983). 

To illustrate CFSM, we will simplify to using a two 
machine network. Let M and N be two CFSMs sharing the same 
set G of messages. We will call W = (M, N) a network. The 
global state of network W is represented by the four-tuple 
(m, c m , c n/ n) , where m and n are nodes (states) of M and N, 
and c m and c„ represent messages from G being passed from M to 



12 



